Five Essential Capabilities for Airtight Cloud Security


SECURITY IN THE CLOUD REQUIRES NEW CAPABILITIES

It is no secret: security and compliance are at the top of the list of concerns tied to cloud adoption. According to a recent 2017 Cloud Security survey of over 350,000 members of the LinkedIn Information Security Community, IT pros have general concerns about security in the cloud (33 percent), in addition to data loss and leakage risks (26 percent) and legal and regulatory compliance (24 percent) [1]. The number of reported breaches in enterprise datacenter environments still far exceeds the reported exposure from cloud platforms, but as businesses start using public clouds to run their mission-critical workloads, the need for enterprise-grade security in the cloud will increase.

General cloud security isn't lacking by any means, with IaaS providers such as AWS offering a multitude of tools to help you secure your cloud environment. Implementing these tools, however, can prove daunting. According to a recent 2017 Gartner report titled "Assessing Cloud Security Monitoring and Compliance Capabilities in AWS", third-party solutions are often necessary for full security life cycle assessment, compliance and GRC (Governance, Risk and Compliance) [2].

But IaaS security is built on a model of shared responsibility between the cloud service provider, such as Amazon Web Services (AWS), and the customer. End-to-end security relies on enterprise customers establishing and enforcing strict policies and processes. Many organizations fail to secure their vital infrastructure end-to-end because they do not realize that security in the public cloud is fundamentally different from enterprise datacenter security.

Today's enterprise datacenter has several layers of security measures. Connection policies and access controls are handled with care by firewalls, routers, and switches that designate zones, control which protocols are allowed, and revoke access to unauthorized users and machine processes. Supplementary security, such as intrusion prevention systems and malware protection, is often in place as well.

The cloud is very different from the datacenter. The cloud is highly dynamic, flexible and instantaneously configurable; simple changes to security policies can expose private resources to the world. There are a lot of moving parts, which means there can be oversights and errors. Configuration management, patch management, connection policies and access control require attention to detail.

Public cloud environments require a centralized, consolidated platform for security that is built from the ground up for the cloud, and allows administrators to monitor and actively enforce security policies. The tools and techniques that worked to secure datacenter environments fail miserably in the cloud. Server-based controls such as firewall policies, file integrity monitoring (FIM), logging, and strong access controls may have to be applied to each workload, but they should be controlled from a single dashboard.

Following is a checklist of the five capabilities enterprise customers need to look for when selecting a platform to manage infrastructure security in the public cloud.

[1] Crowd Research Partners, Cloud Security 2017 Spotlight Report, Holger Schulze, March 29,
[2] Gartner: Technical Professional Advice: Assessing Cloud Security Monitoring and Compliance Capabilities in AWS, Mike Morrato, February 13,

1 POWERFUL VISUALIZATION - YOU CANNOT FIX WHAT YOU CANNOT SEE

Figure 1: Powerful Visualization for Complete Security Control

Public cloud providers such as AWS have built rich security features and granular controls, allowing administrators to manage which workloads can talk to each other and which are exposed to the whole world. As cloud environments grow across multiple virtual private clouds (VPCs), accounts and regions, it becomes increasingly challenging to understand and correctly configure security policies. Mapping relationships with a visualization tool can help administrators understand the network security posture and identify configuration errors. Taking the time to complete this process is even more critical in dynamic environments, where cloud elasticity means new workloads are being spun up on demand.

2 NETWORK SEGMENTATION USING AGENTLESS, CLOUD-NATIVE SECURITY CONTROLS

Figure 2: Network Segmentation with Agentless Security Controls

Once a workload is created (OS, apps and connections determined), network security policies such as AWS security groups (SGs) need to be put in place to segment traffic and control access to servers. Developers and operations teams usually just accept the default security policies, which are overly permissive, allowing any connection from anywhere to any port on the new virtual server. It's easy to restrict access to one IP or several, but many administrators cannot predict beforehand which IP addresses they will be logging in from, which means they fail to restrict critical access. Unfettered access to workloads in a cloud environment can be prevented by microsegmenting the network using built-in SG policies in cloud environments, so that breaches in one part of the application cannot spill over into other instances or services.
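The check this section calls for, as an added example that is not part of the Dome9 paper: a Python audit of security-group ingress rules in the JSON shape returned by `aws ec2 describe-security-groups`, flagging rules open to 0.0.0.0/0 or ::/0. The sample groups, the admin-port list and the allowed-public-ports policy are constructed assumptions.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "app-default", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]}
]}
""")

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}   # SSH and RDP (assumed list of admin ports)
PUBLIC_OK = {80, 443}      # assumed policy: only web ports may face the internet


def world_open_rules(groups):
    """Return (group_id, port_range, severity) for every ingress rule open to the world."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD:
                continue                      # restricted to specific sources
            if perm["IpProtocol"] == "-1":    # "-1" means all protocols, all ports
                findings.append((sg["GroupId"], "all", "critical"))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            ports = set(range(lo, hi + 1))
            if ports & ADMIN_PORTS:
                sev = "high"                  # management access from anywhere
            elif ports <= PUBLIC_OK:
                sev = "ok"                    # intentionally public web port
            else:
                sev = "medium"
            findings.append((sg["GroupId"], f"{lo}-{hi}", sev))
    return findings


if __name__ == "__main__":
    for gid, ports, sev in world_open_rules(SAMPLE):
        print(f"{gid:8} ports={ports:11} {sev}")
```
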

3 IN-PLACE REMEDIATION AND ACTIVE PROTECTION - GO BEYOND MONITORING

Figure 3: In-place Remediation and Active Protection

Customers cite elasticity and flexibility as the primary reasons for moving infrastructure to the cloud. However, tracking and maintaining control of security policies is where elasticity and flexibility can lead to issues. Virtual machines (VMs) are on the move, changing from one domain to another, and policies may not follow. This can lead to inadvertent exposure of backend servers to everyone. Security operations is really responsible for monitoring such changes to ensure that elasticity does not create misconfigurations or open back doors to sensitive data. As mentioned before, a visualization tool that makes these mistakes immediately apparent, combined with the ability to fix discovered issues in real time and prevent them from recurring in the future, are the weapons of choice to combat moving assets.

4 TIME-LIMITED ACCESS TO SERVICES WITH ON-DEMAND NETWORKING

Figure 4: Dynamic Access Leases for Time-limited Access

If you remember years back, the City of San Francisco gave all the keys to their router kingdom to one network administrator, who ended up going rogue and would not give them up, even after being put in jail. Maintaining control over the keys to your network and infrastructure is the single most critical requirement for protecting cloud deployments. A security platform that allows a resource owner to assign access rights on an as-needed basis, on the fly, for a limited amount of time, can help prevent such incidents. A contractor or employee can be granted access for a particular window of time. After the time allotted expires there is no need to manually revoke access; it's automatic. This allows organizations to maintain a closed-by-default security posture by keeping the good guys in for just the right amount of time.

Finally, implementing security training for your staff is a must in the opinion of many experts. In fact, according to the recent 2017 Cloud Security Spotlight Report, 53 percent of organizations plan to train and certify existing IT staff on cloud security, 30 percent plan to partner with a managed security services provider (MSP), and 27 percent will deploy additional security software to protect data and applications in the cloud [3].

5 LOGGING AND INDEPENDENT AUDIT TRAIL - WATCH EVERYTHING

Figure 5: Logging and Independent Audit Trails

In the worst-case scenario every workload (dynamic administrator rights management, firewall policies, and file integrity management) is in place, but things might still go wrong. A malicious visitor to the website may cause a denial of service by repeatedly refreshing a page that requires compute-intensive backend processes. How do you find the problem? Monitoring and logging every packet that passes across the cloud environment makes it possible to detect anomalous behavior and demonstrate that the security controls are in place as designed. Ensuring your security controls are in place as intended could be indispensable during an audit, when it is necessary to prove that controls are actually working.

[3] Crowd Research Partners, Cloud Security 2017 Spotlight Report, Holger Schulze, March 29,

IN CONCLUSION

It's essential for IT security pros to have visibility into network architectures and on-system controls to provide better defense against the growing number of malicious attacks and inadvertent credential leaks. Deploying cloud controls everywhere and employing a central management dashboard make for an iron-clad system. These five capabilities will help deploy secure compute environments that will drive cloud adoption.

ABOUT DOME9 SECURITY

Dome9 delivers verifiable cloud infrastructure security and compliance to organizations across every public cloud. The Dome9 Arc SaaS platform leverages cloud-native security controls and cloud-agnostic policy automation to enable comprehensive network security, advanced IAM protection, and continuous compliance in Amazon Web Services (AWS), Microsoft Azure and Google Cloud environments. Dome9 offers technologies to assess security posture, detect misconfigurations, model gold standard policies, protect against attacks and identity theft, and conform to security best practices in the cloud. Organizations use Dome9 Arc for faster and more effective cloud security operations, pain-free compliance and governance, and rugged DevOps practices. Learn more at

CONTACT US

Dome9 Security, Inc.
701 Villa Street
Mountain View, CA USA

For a free security assessment or trial, please contact:
US Sales:
International Sales:

Copyright 2017 Dome9 Security, Inc. All rights reserved. Other brand names are for identification purposes only and may be the trademarks of their holder(s).
